How to stop logon token re-usability in SAP Business Intelligence 4.2

Hi,

I am calling the open document URL from a JAVA portal web application.

For SSO, I am generating a token and passing as a parameter along with the open document URL.

The issue is that the token which I generated can be used multiple times, initializing multiple sessions.

This seems to be a vulnerability, since the token can be captured along with the URL and reused.

I would like to know whether there is a way to restrict the token so that it can be used only once to create a session on the BO server.

I have gone through a lot of forums, the OpenDocument developer guide and the BO admin guide, and applied the timeout setting in the Java code used for calling the RESTful API; I also configured the enterprise token timeout setting in WACS. But while the time can be controlled, re-usability still exists.

I need the server set up so that there is only authentication between the portal application and the BO server. Also, if the token is captured, it could not be used a second time.

Can someone suggest a way to handle this?

Accepted Solutions (0)

Answers (2)

daniel_paulsen
Active Contributor
Hi Naveen,

If you are creating your logon token using enterpriseSession.CreateWCAToken() then this token can be shared without increasing the license count, and it is invalidated after logoff is called or it times out.

What you are most likely looking for is enterpriseSession.CreateLogonToken("", numMin, numUses), where you can specify the number of times that the token can be reused as well as the number of minutes that it can be used for.

This token will consume a license when used so you would want to log off your existing session in your portal application before re-directing to openDocument.

Dan

DellSC
Active Contributor
Yes, it is possible with a token generated through the Java SDK with a call to:

IEnterpriseSession.getLogonTokenMgr().createLogonToken(java.lang.String clientComputerName, int validMinutes, int validNumOfLogons)

I usually pass an empty string as the clientComputerName parameter. You would set the validMinutes and validNumOfLogons appropriate to your application. You need to make sure that the validMinutes parameter is long enough that the user can do what they need to with the report.

-Dell
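The following is an added example illustrating the approach described in both answers above (Dan's advice to log off the portal session before redirecting, and Dell's createLogonToken call with an empty clientComputerName). It is not code from the original post or from SAP; the CMS address, the BOE web host, the document CUID and the credentials are assumed placeholders, and the openDocument URL parameters (token, sIDType, iDocID) are the ones the OpenDocument guide documents for token-based SSO. The second method is a check a developer can run from the SDK to confirm that a token with validNumOfLogons set to 1 really is rejected on the second logon, which avoids the same-browser session reuse that Dell describes further down in this thread.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

import com.crystaldecisions.sdk.exception.SDKException;
import com.crystaldecisions.sdk.framework.CrystalEnterprise;
import com.crystaldecisions.sdk.framework.IEnterpriseSession;
import com.crystaldecisions.sdk.framework.ISessionMgr;
import com.crystaldecisions.sdk.occa.security.ILogonTokenMgr;

public class SingleUseOpenDocLink {

    // Assumed placeholder values; replace with the real CMS and BOE web tier of your landscape.
    private static final String CMS_HOST = "cms-host:6400";
    private static final String OPENDOC_URL =
        "https://boe-host:8443/BOE/OpenDocument/opendoc/openDocument.jsp";

    /**
     * Logs on to the CMS on behalf of the portal user, mints a logon token that is valid
     * for a short window and for exactly one logon, and returns the openDocument link.
     * The portal-side session is logged off before the link is handed out, so the only
     * session that remains is the one openDocument creates when the token is consumed.
     */
    public static String buildLink(String user, String password, String authType,
                                   String docCuid, int validMinutes) throws SDKException {
        ISessionMgr sessionMgr = CrystalEnterprise.getSessionMgr();
        IEnterpriseSession session = sessionMgr.logon(user, password, CMS_HOST, authType);
        try {
            ILogonTokenMgr tokenMgr = session.getLogonTokenMgr();
            // "" = any client computer, validMinutes = lifetime, 1 = a single logon only.
            String token = tokenMgr.createLogonToken("", validMinutes, 1);
            String encoded = URLEncoder.encode(token, StandardCharsets.UTF_8.name());
            return OPENDOC_URL + "?sIDType=CUID&iDocID=" + docCuid + "&token=" + encoded;
        } catch (java.io.UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 is always available", e);
        } finally {
            // Log off the originating session (Dan's point) so it does not hold a licence.
            // A token created with createLogonToken survives this logoff; a WCA token would not.
            session.logoff();
        }
    }

    /**
     * Diagnostic: confirms from the SDK (not from a browser, which would re-use its
     * existing session) that a one-logon token is accepted once and rejected afterwards.
     * Returns true when the second logonWithToken attempt is refused by the CMS.
     */
    public static boolean tokenIsSingleUse(IEnterpriseSession portalSession) throws SDKException {
        ISessionMgr sessionMgr = CrystalEnterprise.getSessionMgr();
        String token = portalSession.getLogonTokenMgr().createLogonToken("", 1, 1);

        IEnterpriseSession first = sessionMgr.logonWithToken(token); // expected to succeed
        first.logoff();

        try {
            IEnterpriseSession second = sessionMgr.logonWithToken(token); // expected to fail
            second.logoff();
            return false; // the CMS accepted the token a second time
        } catch (SDKException rejected) {
            return true;  // the token was consumed by the first logon
        }
    }

    public static void main(String[] args) throws SDKException {
        // Placeholder credentials for illustration only.
        String link = buildLink("portal_user", "portal_password", "secEnterprise",
                                "AXXXXXXXXXXXXXXXXXXXXXXXXX", 2);
        System.out.println("Redirect the browser to: " + link);

        IEnterpriseSession probe = CrystalEnterprise.getSessionMgr()
            .logon("portal_user", "portal_password", CMS_HOST, "secEnterprise");
        try {
            System.out.println("Token is single use: " + tokenIsSingleUse(probe));
        } finally {
            probe.logoff();
        }
    }
}
```

Keep validMinutes as short as the report's load time allows: the one-logon limit stops replay after the first use, but the lifetime is what bounds a captured link that the user never opened. Serving the link only over HTTPS and never logging the full URL on the portal side removes the most common ways the token leaks in the first place.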

Thanks dell.stinnett-christy .

The same has been followed in the code. Though the valid minutes and the logons are set to 1, I can still generate the report multiple times with the same token.

DellSC
Active Contributor
Are you trying this on the same computer and browser session? Before or after you close the original OpenDocument call? If you're not using a different browser or computer, you will see this behavior because the session stays in memory and gets re-used from there.

-Dell